07-30-2012 01:15 PM - edited 02-21-2020 06:14 PM
Hello,
One of our routers has multiple IPsec site-to-site VPNs, and the public IP of our router needs to change as our ISP is changing. I was wondering if there is a way I can migrate the IPsec VPNs on this router one by one instead of having all of them (the remote sides) change the peer IP at the same time. I know you can assign a secondary IP address to the interface and try to bring up the IPsec VPN using the secondary IP address, but I am not sure if that is reliable. Does anyone know of any other, better way to do this?
Thank you.
07-31-2012 12:31 AM
How about something like this: plug the new ISP into a separate L3 interface, apply the same crypto map (I'm assuming non-static, or lack of RRI), start migrating routing for the VPNs (both peer IP and subnets), and make sure the remote ends specify both IPs (the old and the new ISP-assigned IP).
08-08-2012 12:19 PM
Thanks Marcin, I'll try that out.
08-14-2012 12:33 PM
Hello Marcin,
Is there a way if it's a static crypto map?
08-14-2012 11:56 PM
With a static crypto map it's a bit easier: you can choose which ISP is going to be used by setting routing for the static peers via one interface or the other.
You most likely need to do a similar thing for the subnets reachable over the VPN if you want full reliability; you can also try RRI ("reverse-route static" under the crypto map entries) so IPsec populates the routing table for you.
M.
08-15-2012 07:39 AM
Marcin,
I don't understand. When I change the IP address on the interface where the crypto map is applied, the remote VPN sites need to change their peer IPs. Since I want to migrate the remote VPNs to the new IP one by one and not all at once, how would that work?
Also, I don't have an additional interface on the router to create a new interface with the new IP address and a separate crypto map. The current setup has an Ethernet interface with the crypto map applied to it.
Thank you.
08-16-2012 02:20 AM
You can still use subinterfaces (dot1q tagged); they are L3 on routers.
But regardless, you can start adding both IP addresses as peering points on the remote peers (both the new and the old ISP IP addresses). During the transition, if they fail with one ISP they will try to establish with the other.
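Putting the pieces from this thread together (a dot1q subinterface for the new ISP, the same static crypto map on both interfaces, a per-peer host route to pick the ISP, "reverse-route static" for the remote subnets, and two set peer lines on the spoke), here is an added IOS configuration sketch. It is not from the thread or from any of the posters; interface names, ACL names, the VPNMAP/TS names, the RFC 5737 documentation addresses and the PSK placeholders are all my own assumptions, chosen only to illustrate the mechanics.

```cisco
! ================= Hub router (the one whose ISP is changing) =================
! Old ISP stays on the physical interface; the existing crypto map is already here.
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.248
 crypto map VPNMAP
!
! New ISP delivered as VLAN 20 on the same port: a dot1Q subinterface is a full L3
! interface on a router. Apply the SAME crypto map, so a tunnel can terminate on
! either public address. Do NOT add "crypto map VPNMAP local-address ..." here;
! that would pin both interfaces to one identity and defeat the per-site migration.
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 198.51.100.10 255.255.255.248
 crypto map VPNMAP
!
! Default route keeps pointing at the old ISP until the last site has moved.
ip route 0.0.0.0 0.0.0.0 203.0.113.9
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
! PSK-SITE-A / PSK-SITE-B are placeholders, not real keys.
crypto isakmp key PSK-SITE-A address 192.0.2.20
crypto isakmp key PSK-SITE-B address 192.0.2.30
! DPD, so a tunnel stuck on the wrong address is torn down and rebuilt quickly.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Static crypto map, one entry per remote site. "reverse-route static" (RRI)
! installs a route for each destination in the crypto ACL with the remote peer
! as next hop; the route to that peer then decides which ISP interface carries
! the subnet as well as the tunnel, so both move together.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.20
 set transform-set TS
 match address VPN-SITE-A
 reverse-route static
crypto map VPNMAP 20 ipsec-isakmp
 set peer 192.0.2.30
 set transform-set TS
 match address VPN-SITE-B
 reverse-route static
!
ip access-list extended VPN-SITE-A
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
ip access-list extended VPN-SITE-B
 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! Migrate ONE site: a host route for site A's peer via the new ISP makes the hub
! source IKE/IPsec to site A from 198.51.100.10, while site B still lands on
! 203.0.113.10 through the default route. Repeat per site, at your own pace.
ip route 192.0.2.20 255.255.255.255 198.51.100.9
!
! ================= Remote site A (spoke) =================
! Both hub addresses are listed. IOS tries set peer entries in order and moves to
! the next when the first does not respond. Put the address the hub now routes
! this site through FIRST and keep the old one as fallback.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PSK-SITE-A address 203.0.113.10
crypto isakmp key PSK-SITE-A address 198.51.100.10
crypto isakmp keepalive 10 3
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN-TO-HUB
 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set peer 203.0.113.10
 set transform-set TS
 match address VPN-TO-HUB
 reverse-route static
!
interface GigabitEthernet0/0
 ip address 192.0.2.20 255.255.255.248
 crypto map VPNMAP
```

After adding the host route for a site, clear its existing SAs on the hub (clear crypto sa peer 192.0.2.20, and clear crypto isakmp for the matching connection) so the tunnel is rebuilt on the new address, then confirm with show crypto isakmp sa and show crypto ipsec sa which local address each peer is using. Order on the spoke matters: if the spoke still dials the old hub address while the hub routes that peer via the new ISP, the hub's reply leaves the new ISP link sourced from the old address, which the new ISP's anti-spoofing filter may drop; listing the new address first on the spoke at the moment you add the hub's host route avoids that. When every site is on the new address, move the default route to 198.51.100.9 and retire the old addressing.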